Message-ID: <36e4177f-77c5-be1d-7fa7-eca3d594bc37@mattcorallo.com>
Date: Mon, 15 Mar 2021 19:19:22 -0400
MIME-Version: 1.0
Content-Language: en-US
To: Karl-Johan Alm <karljohan-alm@garage.co.jp>,
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
References: <202103152148.15477.luke@dashjr.org>
 <a88cd471-fdc9-de35-86cd-595b387249c8@mattcorallo.com>
 <CAD5xwhi82fjRB4Ceb6Gnp+LvTweWjwFRmWU5zD-3o6s_GoEvPw@mail.gmail.com>
 <a4b9df55-b95b-9c95-62ea-7bf6eeec113d@mattcorallo.com>
 <CALJw2w4hBk1pZrV7E6FNDPDCWH=T_S6qAHGKvRC6JsT9iZevfg@mail.gmail.com>
From: Matt Corallo <lf-lists@mattcorallo.com>
In-Reply-To: <CALJw2w4hBk1pZrV7E6FNDPDCWH=T_S6qAHGKvRC6JsT9iZevfg@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [bitcoin-dev] PSA: Taproot loss of quantum protections

Right, totally. There was substantial debate on the likelihood of such a QC existing (i.e. a slow one) on the original 
thread several years ago, but ignoring that, my broader point was about the address reuse issue. Given that, there's 
just not much we can do with the existing hash-indirection.

Matt

On 3/15/21 19:01, Karl-Johan Alm via bitcoin-dev wrote:
> On Tue, 16 Mar 2021 at 07:48, Matt Corallo via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>> Overall, the tradeoffs here seem ludicrous, given that any QC issues in Bitcoin need to be solved in another way, and
>> can't practically be solved by just relying on the existing hash indirection.
> 
> The important distinction here is that, with hashes, an attacker has
> to race against the spending transaction confirming, whereas with
> naked pubkeys, the attacker doesn't have to wait for a spend to occur,
> drastically increasing the available time to attack.
> 
> It may initially take months to break a single key. In such a
> scenario, anyone with a hashed pubkey would be completely safe* (even
> at spend time), until that speeds up significantly, while Super Secure
> Exchange X with an ultra-cold 38-of-38 multisig setup using Taproot
> would have a timer ticking, since the attacker need only find a single
> privkey like with any old P2PK output.
> 
> (* assuming no address reuse)
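The hash-indirection point argued in this thread (a hashed pubkey only becomes exposed when it is spent from, a Taproot or P2PK output exposes its key from the moment it is created, and address reuse gives away the protection of the hash) can be turned into a wallet-side audit. The following is an added example, not code from the thread or from any Bitcoin project; the scriptPubKey templates are the standard ones and the sample scripts are constructed:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Outcome:
    kind: str
    key_exposed: bool  # True when the public key can be read from the scriptPubKey itself

def classify_spk(spk: bytes) -> Outcome:
    """Match a scriptPubKey against the standard output templates."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:   # <pubkey> OP_CHECKSIG
        return Outcome("p2pk", True)
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return Outcome("p2pkh", False)                           # OP_DUP OP_HASH160 <20> ...
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:   # OP_HASH160 <20> OP_EQUAL
        return Outcome("p2sh", False)
    if n == 22 and spk[:2] == b"\x00\x14":                        # OP_0 <20-byte key hash>
        return Outcome("p2wpkh", False)
    if n == 34 and spk[:2] == b"\x00\x20":                        # OP_0 <32-byte script hash>
        return Outcome("p2wsh", False)
    if n == 34 and spk[:2] == b"\x51\x20":                        # OP_1 <32-byte x-only key>
        return Outcome("p2tr", True)
    return Outcome("unknown", True)  # conservative: treat anything unrecognised as exposed

def exposure_report(utxos, spent_spks):
    """utxos: iterable of (txid, vout, scriptPubKey). spent_spks: scripts that already
    had a spend (address reuse); that spend revealed the key, so the hash no longer
    shields the remaining coins sitting at the same script."""
    report = []
    for txid, vout, spk in utxos:
        out = classify_spk(spk)
        if out.key_exposed:
            exposed, why = True, "key is in the script"
        elif spk in spent_spks:
            exposed, why = True, "reused script: key revealed by an earlier spend"
        else:
            exposed, why = False, "hashed and never spent from"
        report.append((txid, vout, out.kind, exposed, why))
    return report

# Constructed sample scripts (hypothetical, not real on-chain data).
SAMPLE_SPKS = {
    "p2pkh": bytes.fromhex("76a914" + "11" * 20 + "88ac"),
    "p2wpkh": bytes.fromhex("0014" + "22" * 20),
    "p2tr": bytes.fromhex("5120" + "33" * 32),
}

def demo():
    """One reused P2PKH output, one fresh P2WPKH output, one Taproot output."""
    reused = SAMPLE_SPKS["p2pkh"]
    utxos = [("tx_a", 0, reused), ("tx_b", 0, SAMPLE_SPKS["p2wpkh"]), ("tx_c", 1, SAMPLE_SPKS["p2tr"])]
    return exposure_report(utxos, spent_spks={reused})
```

Only the fresh, never-spent-from hashed output keeps the race-against-confirmation property described above; the reused P2PKH and the Taproot output are both flagged as exposed from the start.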